What UK SMEs Need to Know About Cybersecurity Laws


The UK’s cybersecurity regulations continue to evolve as hybrid work expands, third-party risk grows, and cross-border data flows accelerate. For small and medium-sized enterprises (SMEs), keeping pace is not optional. Embedding compliance into every layer of your cybersecurity strategy is critical to defending data, avoiding regulatory penalties, and maintaining trust.

This article outlines the key cybersecurity laws in the UK and highlights real-world examples of companies that failed to comply. Each regulation is explained with a cybersecurity focus, showing what it is, how to stay compliant, and what can go wrong when you don’t.


UK-GDPR

The UK General Data Protection Regulation (UK-GDPR) governs how businesses collect, process, store, and share personal data. It came into effect after Brexit and largely mirrors the EU's GDPR. It requires prompt reporting of data breaches, which helps to limit damage and improve response strategies.

How to comply:

  • Report personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours.
  • Ensure data protection by design and by default.
  • Conduct third-party due diligence to ensure vendors meet GDPR standards.

Case study:

Interserve was fined £4.4 million in 2022 after hackers accessed the personal data of over 100,000 employees through a phishing attack. The ICO found that Interserve had failed to patch systems and maintain secure infrastructure, both core GDPR obligations.


Data Protection Act 2018 (DPA 2018)

DPA 2018 supplements UK-GDPR and provides guidance on law enforcement access, national security exemptions, and the processing of special category data. It sets additional rules for law enforcement and national security processing so that sensitive data remains protected, and it mandates robust security measures for sensitive data to reduce the risk of breaches.

How to comply:

  • Limit and secure sensitive data, such as health or biometric data.
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk activities.
  • Audit access logs and enforce least privilege principles.

Case study:

Carphone Warehouse was fined £400,000 in 2018 after a cyberattack exposed personal data due to outdated software and inadequate security measures. The failure to assess and mitigate risks violated the DPA’s risk-based security requirements.


NIS2 Directive

Though part of EU law, the UK is aligning closely with NIS2, which expands its predecessor’s scope to include digital infrastructure and critical services such as healthcare and telecom. It strengthens cybersecurity for essential services such as healthcare and energy so that they remain operational during cyber incidents.

How to comply:

  • Report cyber incidents within 24 hours.
  • Perform regular risk assessments and cybersecurity audits.
  • Ensure board-level accountability for cybersecurity strategy.

Case study:

Sellafield Ltd was fined £332,500 in 2024 after vulnerabilities in outdated systems and poor oversight left critical operations exposed. A lack of robust cyber hygiene and compliance planning was cited in the ruling.


DORA

The Digital Operational Resilience Act (DORA) is an EU law applying to financial institutions and their technology vendors. UK-based firms operating in the EU must comply. It focuses on operational continuity for financial entities, ensuring they can withstand IT disruptions and vendor failures, and it mandates security measures for third-party providers to reduce supply chain vulnerabilities.

How to comply:

  • Conduct regular digital resilience testing.
  • Log and analyse security incidents.
  • Manage vendor risks across your supply chain.

Computer Misuse Act 1990

The Computer Misuse Act 1990 is the UK's foundational law against hacking and unauthorised access. It makes unauthorised access and data breaches illegal, deterring cybercriminals, and it expects organisations to implement access controls and audit user activity.

How to comply:

  • Deploy robust access control systems.
  • Monitor system activity and enforce user authentication.
  • Educate staff on cybersecurity hygiene.


Telecoms Security Act 2021

The Telecoms Security Act 2021 requires telecom providers to implement strong cybersecurity controls to protect the UK’s communications infrastructure from state-sponsored threats. It introduces mandatory security practices for telecom providers and emphasises due diligence for vendors, reducing the risks from third-party products and services.

How to comply:

  • Conduct ongoing risk assessments.
  • Enforce supply chain cybersecurity controls.
  • Review vendor compliance regularly.


Emerging Laws to Watch in 2025

  • EU Cyber Resilience Act: Impacts companies exporting secure-by-design software into Europe.
  • AI Act: May apply to AI used in fraud detection and behavioural analytics.
  • UK Operational Resilience Framework: Emphasises third-party risk and scenario-based planning.

Staying informed about these changes is essential to future-proof your compliance efforts.


Why Noncompliance is a Business Risk

Failure to comply with cybersecurity laws can result in:

  • Fines in the millions.
  • Loss of business due to reputational harm.
  • Regulatory investigations and lawsuits.
  • Breaches that expose sensitive data and shut down operations.

For SMEs, these outcomes can be existential. The solution is to treat compliance not as a checkbox, but as a foundation of your cybersecurity program.


Need Help Navigating Cybersecurity Compliance?

At Fitzrovia IT, we help SMEs implement robust cybersecurity and compliance strategies. From cloud security to compliance assessments, we tailor solutions to your regulatory environment.

Contact our experts today to safeguard your business and meet UK cybersecurity requirements with confidence.
